Superfluous header added by Cloudflare

It’s nzcms.org.

Run this command, but put in the correct IP address of your origin webserver instead of 12.34.56.78:
curl -Ik --resolve www.nzcms.org:443:12.34.56.78 https://www.nzcms.org

That should show you the headers coming from your server.

You must be thinking of LiteSpeed Cache.

Thanks. The headers do not include X-Turbo-Charged-By.

HTTP/2 200
content-type: text/html
last-modified: Thu, 02 Apr 2020 00:00:08 GMT
accept-ranges: bytes
content-length: 6389
date: Sun, 18 Oct 2020 02:08:57 GMT
x-frame-options: DENY
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: same-origin
x-permitted-cross-domain-policies: none
content-security-policy: base-uri 'self'; default-src 'none'; connect-src 'self' https://www.google-analytics.com; child-src 'self' https://www.google.com; frame-ancestors 'self'; upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com data:; media-src 'none'; img-src 'self' https://secure.gravatar.com https://www.googletagmanager.com https://s.w.org https://ps.w.org data:; object-src 'none'; style-src 'self' 'unsafe-hashes' 'unsafe-inline' https://fonts.googleapis.com; script-src 'self' 'unsafe-inline' https://maps.googleapis.com https://www.googletagmanager.com https://ajax.googleapis.com https://ajax.cloudflare.com https://static.cloudflareinsights.com https://cdnjs.cloudflare.com ;
feature-policy: geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'
edit: Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
x-dns-prefetch-control: on
vary: Accept-Encoding

Hi,

You should have a look at this thread from the official LiteSpeed forum: https://bit.ly/345zzBc

If you believe you are NOT using LiteSpeed Cache and it is NOT installed as a WordPress Plugin, then you are most probably running a Shared Server that is running some LiteSpeed version in the background which is adding the X-Turbo-Charged-By: LiteSpeed header because you are also using a CDN (Cloudflare in this case). The aforementioned forum thread has more info about the issue.

Now, I’m really wondering why you want to remove that header? If it has no performance impact on your server, I wouldn’t put too much effort in removing it.

Thanks @janvitos. Litespeed cache nor its WordPress plugin is installed. Assuming it’s being added by the server, I would the headers to return the details from the origin which it didn’t.

The driver isn’t as much performance as to understand where the header is coming from so that if there is a need/desire to remove it, there is an option to do so easily.

Then it’s a good mystery. There’s not even a server: header in there. So I suspect you’ve already removed that.

Now the question is: How and Why does that header get inserted when going through Cloudflare? What interaction would trigger that?

Read that forum thread I posted and you will get some answers. They even provided different recommendations to remove or change the header.

It seems the header is only being added by the LiteSpeed backend when it detects it is passing through a CDN. But as one Well-Known Member stated on the thread, it isn’t coming from LiteSpeed Enterprise either, so it probably comes from another version installed on your Shared Server.

1 Like

That’s correct. Most of the remaining headers have been suppressed. Yes, it’s a mystery that seems to have no real insight. Is anyone else on the thread experiencing or potentially seen it occur with Cloudflare and the servers it is communicating with?

Stepping it through logically though, if the header is being introduced by another service, the curl responses should return these but they don’t. That’s the confusion.

Except that your curl request looks different from a Cloudflare request.

I believe your curl request is reaching your server directly and is NOT passing through Cloudflare. That’s why the X-Turbo-Charged-By: LiteSpeed header is NOT being returned. When you reach your website normally, you pass through Cloudflare and the header is returned from the backend.

Shouldn’t it? If no, what would you be expecting to see?

Sorry @janvitos. I’m confused. The purpose of running the curl command was to rule out it was being added by the origin (which it isn’t). The leaves Cloudflare.

It doesn’t really leave Cloudflare. Plenty of cases where an origin returns different responses depending on the request. We keep saying it, but Cloudflare is not adding the header. I guess I’ll caveat that with “unless they’ve massively changed their infrastructure overnight”.

IP address?

EDIT: Probably CF-Connecting-IP

1 Like

Let me make myself clearer then:

Backend = No header
Backend + Cloudflare = Header from Backend (NOT from Cloudflare)

I really can’t make it any more obvious.

1 Like

As mentioned above, from https://wordpress.org/support/topic/caching-issues-14/ it’s coming from litespeed server only when cloudflare is used https://wordpress.org/support/topic/caching-issues-14/

https://openlitespeed.org/release-log/legacy-releases/ 1.4.46

  • [Improvement] Added “X-Turbo-Charged-By” response header when CF IP is set.
2 Likes

This topic was automatically closed 60 minutes after the last reply. New replies are no longer allowed.